Java ‘Icefog’ Malware Variant Affect US Businesses : worldleaks

A new report by Kaspersky Labs covers a newly found variant of the Icefog family. The original Icefog variant targeted government agencies and specific parties as well as maritime, military and ship-building groups.

Icefog is a Backdoor that allows hackers to get access to basic/key information about an infected system, and can allow attackers to monitor and control infected PC’s. It is also able to upload, download and install other forms of Malware for various aims, the main reason being to steal or edit data on the computer system.

“The Icefog operation has been functional for at least 2011, with many different variants released during this time. For Microsoft Windows PCs, we identified at least 6 different generations:

The “old” 2011 Icefog – sends stolen data by e-mail; this version was used against the Japanese House of Representatives and the House of Councillors in 2011.

Type “2″ Icefog – interacts with a script-based proxy server that redirects commands from the attackers to another machine.

Type “3″ Icefog – a variant that uses a certain type of C&C server with scripts named “view.asp” and “update.asp”

Type “4″ Icefog – a variant that uses a certain type of C&C server with scripts named “upfile.asp”

Icefog-NG – communicates by direct TCP connection to port 5600

In addition to these, we also identified “Macfog”, a native Mac OS X implementation of Icefog that infected several hundred victims worldwide.”

From September-October 2013, Icefog has become completely idle; all the Command and Control (C&C) servers have since been shut down by the malware writers and operators. The malware family are now back online and welcome a new Java variation of Icefog, called “Javafog”.

Javafrog uses the same payloads as the original Icefog campaign; it installs other specific Malware on to a victim’s computer, granting communication with Icefog C&C servers. The main difference between them is that Javafrog’s coding is written in Java.

Kaspersky have confirmed that there may be prove that many major US Corporations may have already been affected by Javafog!

“By correlating registration information for the different domains used by the malware samples, we were able to identify 72 different C&C servers, of which we handled to sinkhole 27.”

Sinkholing is basically the method of redirecting specific IP address network traffic for security reasons. Such examples of these reasons include efforts to divert potential attacks, to analyse network traffic or to try to detect suspicious activities.

“During the sinkholing operation, we observed eight IPs for three unique victims of Javafog, all of them in the United States. Based on the IP address, one of the victims was named as a very large American independent oil and gas corporation, with operations in many other countries.”

Obviously, the Javafog malware is much harder to detect and trace than the original variant, and the current detection rates for the malware are very low.

“Java malware is not as popular as Windows Preinstallation Environment (PE) malware, and can be harder to spot,”

At the moment, you shouldn’t be too related. Nonetheless, if you think that you may have been affected by similar Malware, you might find detection difficult for a while. Nonetheless, scan with your Antivirus and Anti-Spyware solutions if you’re worried.

For Icefog and Javafog, Kaspersky products are now able to detect all known variants.